eBay has investigated a vulnerability on its UK marketplace and said that despite the risks, it won’t make any changes. eBay’s Vice President of Global Managed Marketplace took to the eBay UK announcement board to make public its decision. Lynda Talgo said, “After a recent review of our processes and policies, we believe the benefits of allowing active content to our customers outweigh the extremely low likelihood of being exposed to them.”
eBay’s announcement was in response to relentless reporting by the BBC, which exposed security vulnerabilities on eBay’s UK marketplace last month.
eBay allows the use of active content on its marketplace, including JavaScript, Flash, links, videos and pictures, Talgo confirmed. The BBC had said that this policy significantly raised the likelihood of malicious code being embedded in the site’s pages through the attack technique known as cross-site scripting (XSS).
eBay had called the BBC’s first report of the XSS hack an “isolated incident.” The BBC followed up with a report that it had identified over 100 listings that had been exploited to trick customers into handing over personal data. “It meant users clicking on eBay listings that appeared legitimate were being automatically re-directed to harmful websites designed to steal user information, including credit card details,” the BBC wrote.
But Talgo wrote on Monday, “It’s important to understand that malicious content on our marketplace is extraordinarily uncommon, which we estimate to be less than two listings per million that use active content on the eBay marketplace.”
She said sellers used active content to cross-merchandise items, personalize and brand eBay stores, incorporate videos into listings, and provide links to eBay stores, for example.
eBay took claims that its customers were vulnerable due to cross-site scripting extremely seriously, Talgo said – “nothing is more important than the trust of our customers,” and she said eBay had conducted an internal investigation of its processes and policies.
She described how eBay combats the use of malicious code in her post on the eBay UK announcement board, and she said eBay removes the vast majority of listings containing malicious content within one hour of detection.
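As an added illustration, not eBay’s own code and not drawn from the BBC’s reporting, the Python scanner below shows the kind of check a marketplace could run over seller-supplied listing HTML to separate the ordinary active content Talgo describes (embedded video, store links) from content that silently navigates the buyer elsewhere, the behaviour the BBC reported. The sample listings and host names are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Script text that rewrites the browser location is the classic listing-redirect pattern.
REDIRECT_JS = re.compile(
    r"(window|document|top|self|parent)\.location|location\.(href|replace|assign)\b", re.I)
JS_SCHEME = re.compile(r"^\s*javascript:", re.I)   # javascript: URLs in href/src/action
EVENT_ATTR = re.compile(r"^on\w+$", re.I)          # onload, onclick, onerror, ...


class ListingScanner(HTMLParser):
    """Walks seller-supplied listing HTML and records (severity, description) findings."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            self.findings.append(("info", "inline or external script"))
        elif tag in ("object", "embed", "applet"):
            self.findings.append(("info", f"plugin content <{tag}>"))   # e.g. Flash video
        elif tag == "iframe":
            self.findings.append(("warn", f"iframe to {attrs.get('src', '?')}"))
        elif tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("block", "meta refresh redirect"))
        for name, value in attrs.items():
            if EVENT_ATTR.match(name):
                self.findings.append(("warn", f"event handler {name}"))
            if name in ("href", "src", "action") and JS_SCHEME.match(value):
                self.findings.append(("block", f"javascript: URL in {name}"))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and REDIRECT_JS.search(data):
            self.findings.append(("block", "script rewrites browser location"))


def scan_listing(html):
    """Return (verdict, findings): 'block' = auto-remove, 'review' = active content present, 'ok'."""
    p = ListingScanner()
    p.feed(html)
    p.close()
    sev = {s for s, _ in p.findings}
    return ("block" if "block" in sev else "review" if sev else "ok"), p.findings


# Constructed sample listings (hypothetical hosts), not taken from any real eBay page.
BENIGN_LISTING = '<div>Vintage radio</div><embed src="demo.swf"><a href="https://stores.example/me">Store</a>'
SUSPECT_LISTING = "<div>Great deal!</div><script>window.location='https://login.phish.example/';</script>"
```

A "block" verdict is the case for removal within the detection window; "review" listings keep their active content and simply stay on the monitoring queue.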
She advised customers who spot listings of concern to use the “report item” function at the bottom right of the listing page.
As we noted on the EcommerceBytes Blog last month, the BBC reporting came on the heels of eBay’s data breach earlier in the year.